Neo23x0/Loki

Huge amount of PE-Sieve process replaced warnings

Sirbu opened this issue · 4 comments

Sirbu commented

I ran Loki on several Windows/Linux machines, and I regularly get more than a hundred Warning messages for all kinds of processes (firefox for example):

20180910T09:43:16Z [hostname] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 9432 NAME: firefox.exe OWNER: [username] CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="8792.69.1317586373\549569501" -childID 10 -isForBrowser -prefsHandle 4372 -prefsLen 11889 -schedulerPrefs 0001,2 -parentBuildID 20180830143136 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 8792 "\\.\pipe\gecko-crash-server-pipe.8792" 960 tab PATH: C:\Program Files (x86)\Mozilla Firefox\firefox.exe REPLACED: 1

But I doubt all of them are used for process hollowing, which is what this warning means if I am correct.
Is it a false positive?
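A triage helper for the flood of warnings described above, added here as an example (it is not part of the issue, of Loki or of PE-Sieve): it parses the ProcessScan line format quoted in the post and groups hits by image path, so a binary where every running process is flagged stands out from an isolated hit on a single PID. The sample lines, hostnames, the notepad entry and the min_pids threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Field layout of the Loki ProcessScan warning quoted in the issue. CMD may contain spaces and
# quotes, so it is matched greedily up to the final " PATH: ".
LOKI_PESIEVE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<host>[^\]]+)\] LOKI: (?P<level>\w+): MODULE: (?P<module>\S+) "
    r"MESSAGE: (?P<message>.*?) PID: (?P<pid>\d+) NAME: (?P<name>\S+) OWNER: (?P<owner>\S+) "
    r"CMD: (?P<cmd>.*) PATH: (?P<path>.*?) REPLACED: (?P<replaced>\d+)$"
)

# Constructed sample log lines in the issue's format (host, PIDs and the notepad entry are made up).
SAMPLE_LINES = [
    r'20180910T09:43:16Z [host1] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 9432 NAME: firefox.exe OWNER: [username] CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc -childID 10 PATH: C:\Program Files (x86)\Mozilla Firefox\firefox.exe REPLACED: 1',
    r'20180910T09:43:17Z [host1] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 9510 NAME: firefox.exe OWNER: [username] CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc -childID 11 PATH: C:\Program Files (x86)\Mozilla Firefox\firefox.exe REPLACED: 1',
    r'20180910T09:43:18Z [host1] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 9612 NAME: firefox.exe OWNER: [username] CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc -childID 12 PATH: C:\Program Files (x86)\Mozilla Firefox\firefox.exe REPLACED: 1',
    r'20180910T09:44:02Z [host1] LOKI: Warning: MODULE: ProcessScan MESSAGE: PE-Sieve reported replaced process PID: 4120 NAME: notepad.exe OWNER: [username] CMD: "C:\Windows\System32\notepad.exe" PATH: C:\Windows\System32\notepad.exe REPLACED: 1',
    r'20180910T09:44:03Z [host1] LOKI: Info: MODULE: Init MESSAGE: Scan finished',
]

def parse_loki_line(line):
    """Return the fields of a PE-Sieve 'replaced process' warning, or None for any other line."""
    m = LOKI_PESIEVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["replaced"] = int(rec["pid"]), int(rec["replaced"])
    return rec

def group_by_image(lines):
    """Aggregate warnings per image path: distinct PIDs and owners, plus total hits."""
    groups = defaultdict(lambda: {"pids": set(), "owners": set(), "hits": 0})
    for line in lines:
        rec = parse_loki_line(line)
        if rec is None or rec["module"] != "ProcessScan" or rec["replaced"] < 1:
            continue
        g = groups[rec["path"].lower()]
        g["pids"].add(rec["pid"]); g["owners"].add(rec["owner"]); g["hits"] += 1
    return dict(groups)

def triage(lines, min_pids=3):
    """Split image paths into 'systemic' (at least min_pids distinct processes of the same binary
    flagged, the pattern a host-wide hook such as an AV product would produce) and 'isolated'
    (few PIDs, which deserves a closer look). min_pids is an assumed threshold, not a Loki setting."""
    groups = group_by_image(lines)
    systemic = sorted(p for p, g in groups.items() if len(g["pids"]) >= min_pids)
    isolated = sorted(p for p, g in groups.items() if len(g["pids"]) < min_pids)
    return {"systemic": systemic, "isolated": isolated}
```

Running `triage(SAMPLE_LINES)` puts the firefox image under "systemic" (three content processes flagged the same way) and the single notepad hit under "isolated"; feed it the real Loki log to see which bucket the hundred-plus warnings fall into.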

I don't see these Warnings with running Firefox browsers in my testing environment.

Sirbu commented

Well, I'll have to investigate a bit, and learn a few things on how to detect process hollowing in order to fully understand this problem. Could you quickly summarize or guide me to an explanation of how pe-sieve does this check?

You'd better ask the developer of PE-Sieve
https://github.com/hasherezade/pe-sieve

https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ Might be your AV hooking into those apps.